Network system security part 6 ppsx


control mechanism is not configured to completely deny access but instead is configured to allow for the reading of the file but not for the writing of changes. Also, as with confidentiality, it is very important to correctly identify the individual seeking to make a change. This can only be performed through the use of identification and authentication.

The use of computer file access controls works well if the files reside on a single computer system or a network within the control of the organization. What if the file is to be copied to other parties or organizations? In this case, it is clear that the access controls on a single computer system or network are insufficient to provide protection. Therefore, there must be a mechanism that can identify when an unauthorized change has been made to the file. That mechanism is a digital signature (see Chapter 12 for more detail on digital signatures). A digital signature on a file can identify if the file has been modified since the signature was created. In order to be worthwhile, the digital signature must be identified with a particular user; thus, the integrity service must work with the identification and authentication function.

Integrity of Information Transmission

Information can be modified during transmission. However, it is extremely difficult to modify traffic without performing an interception attack. Encryption can prevent most forms of modification attacks during transmission. When coupled with a strong identification and authentication function, even interception attacks can be thwarted (look back to Figure 3-2).

Attacks That Can Be Prevented

The integrity service can prevent successful modification and repudiation attacks. While any modification attack may change a file or information in transit, modification attacks cannot be successful if the integrity service is functioning properly as the unauthorized change will be detected.
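
The following Python example is an addition to this text, not code from the book. It shows a signature detecting a change made to a file after it left the signer's control, and failing against any other user's public key. It uses a Lamport one-time signature built from SHA-256 so that it runs with the standard library alone; the scheme choice, the function names and the sample file are assumptions made here.

```python
import hashlib
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(digest: bytes):
    """Yield the 256 bits of a SHA-256 digest, most significant bit first."""
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def generate_keypair():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(_h(a), _h(b)) for a, b in private]
    return private, public

def sign(private, content: bytes):
    """Reveal one secret per digest bit. A key pair must sign only ONE file."""
    return [pair[bit] for pair, bit in zip(private, _bits(_h(content)))]

def verify(public, content: bytes, signature) -> bool:
    """True only if content is unchanged and was signed with the matching key."""
    if len(signature) != 256:
        return False
    ok = True
    for pair, bit, revealed in zip(public, _bits(_h(content)), signature):
        ok &= secrets.compare_digest(_h(revealed), pair[bit])
    return ok

# Constructed sample: a file that is copied outside the organization.
signer_private, signer_public = generate_keypair()
_unused, other_public = generate_keypair()      # some other user's public key
original = b"Pay vendor 1,000.00 USD\n"
signature = sign(signer_private, original)
tampered = original.replace(b"1,000", b"9,000")

def demo():
    return (verify(signer_public, original, signature),   # unchanged file
            verify(signer_public, tampered, signature),   # modified after signing
            verify(other_public, original, signature))    # not this user's signature

if __name__ == "__main__":
    print(demo())
```
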
When coupled with a good identification and authentication service, even changes to files outside of the organization can be detected.

Successful repudiation attacks cannot be prevented without both a good integrity service and good identification and authentication. In this case, the mechanism to detect the attack is a digital signature.

AVAILABILITY

The availability service provides for information to be useful. Availability allows users to access computer systems, the information on the systems, and the applications that perform operations on the information. Availability also provides for the communications systems to transmit information between locations or computer systems. The information and capabilities most often thought of when we speak of availability are all electronic. However, the availability of paper information files can also be protected.

Chapter 3: Information Security Services 33

Backups

Backups are the simplest form of availability. The concept is to have a second copy of important information in storage at a safe location. The backups can be paper files (copies of important documents) or they can be electronic (computer backup tapes). Backups prevent the complete loss of information in the event of accidental or malicious destruction of the files. Safe locations for backups may be on-site in a fireproof enclosure or at a remote site with physical security measures.

While backups do provide for information availability, they do not necessarily provide for timely availability. This means that the backups may have to be retrieved from a remote location, transported to the organization’s facility, and loaded on the appropriate system.

Fail-Over

Fail-over provides for the reconstitution of information or a capability.
Unlike backups, systems configured with fail-over can detect failures and re-establish a capability (processing, access to information, or communications) by an automatic process through the use of redundant hardware.

Fail-over is often thought of as an immediate reconstitution but it does not need to be configured in that manner. A redundant system could be located on-site to be readied for use if a failure occurs on the primary system. This is a much less expensive alternative to most immediate fail-over systems.

Disaster Recovery

Disaster recovery protects systems, information, and capabilities from extensive disasters. Disaster recovery is an involved process that reconstitutes an organization when entire facilities or important rooms within a facility become unavailable.

Attacks That Can Be Prevented

Availability is used to recover from denial-of-service attacks. There is no way to prevent a DoS attack, but the availability service can be used to reduce the effects of the attack and to recover from it by bringing systems and capabilities back online.

ACCOUNTABILITY

The accountability service is often forgotten when we speak of security. The primary reason is that the accountability service does not protect against attacks by itself. It must be used in conjunction with other services to make them more effective. Accountability by itself is the worst part of security; it adds complications without adding value. Accountability adds cost and it reduces the usability of a system. However, without the accountability service, both integrity and confidentiality mechanisms would fail.

34 Network Security: A Beginner’s Guide

Identification and Authentication

Identification and authentication (I&A) serves two purposes. First, the I&A function identifies the individual who is attempting to perform a function. Second, the I&A function proves that the individual is who he or she claims to be.
Authentication can be accomplished by using any combination of three things:

▼ Something you know (like a password or PIN)
■ Something you have (like a smart card or a badge)
▲ Something you are (like fingerprints or a retina scan)

While any single item can be used, it is better to use combinations of factors such as a password and a smart card. This is usually referred to as two-factor authentication. The reason that two-factor authentication is deemed to be better than a single-factor authentication is that each factor has inherent weaknesses. For example, passwords can be guessed and smart cards can be stolen. Biometric authentication is much harder to fake but individuals can be compelled to place their hand on a handprint scanner.

In the physical world, authentication may be accomplished by a picture ID that is shown to a guard. This may provide sufficient authentication to allow an employee to enter a facility. Handprint scanners are also often used to authenticate individuals who wish to enter certain parts of facilities. The authentication mechanism is directly tied to the physical presence and identity of the individual.

In the electronic world, physical authentication mechanisms do not work as well. Traditionally, the authentication mechanism that has been used for computers is the password. The identity of the individual is linked via a user ID that was established by a system administrator. It is assumed that the administrator had some proof that the individual receiving the user ID was in fact the individual being identified. Passwords alone are a single factor of authentication and thus inherently weak. Unlike in the physical world, there is no guarantee of the physical presence of the individual. That is why two-factor authentication is advocated for use with computer systems. It provides a stronger authentication mechanism.

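
The following Python example is an addition to this text, not code from the book. It checks two factors at login: a password (something you know) and a time-based one-time code from a token (something you have), and rejects either factor presented alone. The book's smart card is replaced here by an RFC 6238 TOTP token; the account record, function names and password are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

def hash_password(password: str, salt: bytes) -> bytes:
    """Something you know: keep only a slow, salted hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Something you have: RFC 6238 code from a secret stored on the user's token."""
    counter = struct.pack(">Q", max(unix_time, 0) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def authenticate(account: dict, password: str, code: str, now: int) -> bool:
    """Grant access only when BOTH factors check out."""
    knows = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_hash"])
    # Accept the neighbouring 30-second steps to tolerate token clock drift.
    valid = [totp(account["token_secret"], now + drift * 30) for drift in (-1, 0, 1)]
    has = any([hmac.compare_digest(c.encode(), code.encode()) for c in valid])
    return knows and has

# Constructed account record; the token secret is the published RFC 6238 test key.
_salt = os.urandom(16)
ACCOUNT = {
    "user_id": "jsmith",
    "salt": _salt,
    "pw_hash": hash_password("correct horse battery", _salt),
    "token_secret": b"12345678901234567890",
}

def demo(now: int = 59):
    good_code = totp(ACCOUNT["token_secret"], now)
    return {
        "password and token": authenticate(ACCOUNT, "correct horse battery", good_code, now),
        "guessed password only": authenticate(ACCOUNT, "correct horse battery", "000000", now),
        "stolen token only": authenticate(ACCOUNT, "letmein", good_code, now),
    }

if __name__ == "__main__":
    print(demo())
```
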
I&A obviously provides assistance to the computer file access controls that provide confidentiality and integrity of electronic files on computer systems. I&A is also important with regard to encryption and digital signatures. However, the I&A in this case must be transmitted to a remote user. The remote user proves his identity to the local mechanism and provides proof to the far end of the connection. For example, Figure 3-4 shows how a digital signature is used for I&A when sending a message. The user first must authenticate to the mechanism that protects the signature on his local machine. The local machine then allows the use of the signature mechanism and sends the authenticated message. The user who receives the message then uses the digital signature as proof that the sender was the author of the message.

Figure 3-4. I&A mechanisms for remote communication

In many ways the I&A mechanism becomes the key to the other security services within an organization. If the I&A mechanism fails, integrity and confidentiality cannot be guaranteed.

Audit

Audits provide a record of past events. Audit records link an individual to actions taken on a system or in the physical world. Without proper I&A, the audit record is useless as no one can guarantee that the recorded events were actually performed by the individual in question.

Audits in the physical world may take the form of entrance logs, sign-out sheets, or even video recordings. The purpose of these physical records is to provide a record of actions performed. It should also be noted that the integrity service must guarantee that the audit records were not modified. Otherwise, the information in the audit log becomes suspect as well.

In the electronic world, the computer systems provide the logs that record actions by user IDs. If the I&A function is working properly, these events can be traced back to individuals.
As with paper records, the audit logs on a computer system must be protected from unauthorized modification. In fact, audit logs must be protected from any modification whatsoever.

Attacks That Can Be Prevented

The accountability service prevents no attacks. It works with the other services, specifically confidentiality and integrity, to properly identify and authenticate the individual who is attempting to perform an operation. The accountability service also provides a record of what actions were taken by the authenticated user so that the events can be reconstructed.

Copyright 2001 The McGraw-Hill Companies, Inc.
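
The following Python example is an addition to this text, not code from the book. It shows one way to make the requirement that audit logs be protected from any modification checkable: each record carries an HMAC that also covers the previous record's HMAC, so an edited, removed or reordered record is located on verification. The key, record fields and sample entries are constructed, and the key is assumed to be held off the audited system.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain start value used for the first record

def _mac(key, prev_mac, record):
    """HMAC over the previous record's MAC plus this record's canonical JSON."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + body, hashlib.sha256).hexdigest()

def append(log, key, timestamp, user_id, action):
    record = {"ts": timestamp, "user": user_id, "action": action}
    prev = log[-1]["mac"] if log else GENESIS
    log.append({**record, "mac": _mac(key, prev, record)})

def first_bad_entry(log, key, anchor=None):
    """Index of the first altered, removed or reordered record; None if intact.

    anchor is the newest MAC as copied to a separate system; without it,
    records deleted from the end of the log cannot be noticed.
    """
    prev = GENESIS
    for index, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, prev, record), str(entry.get("mac"))):
            return index
        prev = entry["mac"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return len(log)
    return None

# Constructed sample records; KEY is a placeholder kept off the audited host.
KEY = b"constructed-demo-key"
LOG = []
for ts, user, action in [("2001-03-01T09:00:00", "jsmith", "login"),
                         ("2001-03-01T09:02:10", "jsmith", "read payroll.xls"),
                         ("2001-03-01T09:05:43", "jsmith", "write payroll.xls"),
                         ("2001-03-01T09:06:00", "jsmith", "logout")]:
    append(LOG, KEY, ts, user, action)
ANCHOR = LOG[-1]["mac"]

def demo():
    edited = copy.deepcopy(LOG)
    edited[1]["user"] = "guest"          # record rewritten in place
    removed = LOG[:2] + LOG[3:]          # the write event deleted
    truncated = LOG[:3]                  # newest record cut off
    return tuple(first_bad_entry(log, KEY, ANCHOR)
                 for log in (LOG, edited, removed, truncated))
```
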

Date posted: 02/07/2014, 18:20
